Episode 67

Custom development is very common. Despite the many off-the-shelf solutions on offer, organizations often find that their specific needs cannot be fully addressed by what is available on the market. In that case a custom solution is developed, and that solution has source code. This blog will cover source code escrow, a process that protects everyone involved if the relationship goes sour.

Some organizations manage development internally and exercise both full control and responsibility over the source code. However, some firms outsource the development, and potentially even the operation and management, too. If your organization is in this latter case, do you know where your source code is? If your vendor went bankrupt, or stopped supporting your application, could you recover the latest version of your source code? Maybe you do not own the software but license the use of it; would you be able to recover the source code then? Source code escrow is a service that protects both the user and the vendor by having a neutral third-party escrow agent hold the source code until a mutually agreed-upon event occurs.


From the user’s perspective, losing access to the source code is a major risk to the business. Sometimes it is not that the vendor goes bankrupt, but that it stops maintaining the application or its service quality drops below an acceptable level. If the application runs mission-critical services, then the organization is at the mercy of the good faith and capacity of the vendor. From the vendor’s perspective, if they own the source code, giving the user access to it could put their business at risk. How would the vendor keep the source code safe and secret? Another situation is that the user owns the source code but it is stewarded by the software vendor; even in this case, it is very common for the user to have no reliable way to access the most recent version of their own source code.

To mitigate this risk for both parties, it is common practice to store the source code with an independent third-party escrow agent. When selecting an escrow agent, consider the following: How long have they been in business? Where do they store the data? How confident are you in their technical expertise? Is there active development being undertaken on the code? How would changes be delivered to the escrow agent? What are the release conditions? If the conditions are met, does the code get released or destroyed?

While likely never needed, this often-forgotten risk mitigation step can be a critical piece of insurance for your organization.